Vulnerability Description
react-draft-wysiwyg (aka React Draft Wysiwyg) before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| React Draft Wysiwyg Project | React Draft Wysiwyg | < 1.14.6 |
Related Weaknesses (CWE)
References
- https://github.com/jpuri/react-draft-wysiwyg/commit/d2faeb612b53f10dff048de7dc57PatchThird Party Advisory
- https://github.com/jpuri/react-draft-wysiwyg/issues/1102ExploitIssue TrackingThird Party Advisory
- https://github.com/jpuri/react-draft-wysiwyg/pull/1104PatchThird Party Advisory
- https://github.com/jpuri/react-draft-wysiwyg/commit/d2faeb612b53f10dff048de7dc57PatchThird Party Advisory
- https://github.com/jpuri/react-draft-wysiwyg/issues/1102ExploitIssue TrackingThird Party Advisory
- https://github.com/jpuri/react-draft-wysiwyg/pull/1104PatchThird Party Advisory
FAQ
What is CVE-2021-31712?
CVE-2021-31712 is a vulnerability with a CVSS score of 5.4 (MEDIUM). react-draft-wysiwyg (aka React Draft Wysiwyg) before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to ...
How severe is CVE-2021-31712?
CVE-2021-31712 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31712?
Check the references section above for vendor advisories and patch information. Affected products include: React Draft Wysiwyg Project React Draft Wysiwyg.